Amendments to the claims, 

Listing of all claims pursuant to 37 CFR 1.121(c) 

This listing of claims will replace all prior versions, and listings, of claims in the 
application: 

What is claimed is: 

1. (Currently amended) In a system comprising one or more client computers 
connected to the Internet by client premises equipment serving a routing function for 
client computers, a method for managing Internet access based on a specified access 
policy, the method comprising: 

transmitting a plurality of challenges over a period of time [[challenge]] from said 
client premises equipment to each client computer, for determining whether a given client 
computer [[is]] remains in compliance with said specified access policy during said period of 
time; 

transmitting a response from at least one client computer back to said client 
premises equipment for responding to each of said [[challenge]] challenges that has been 
issued; and 

blocking Internet access for any client computer that does not respond 
appropriately to any said challenge issued to it. 

2. (Original) The method of claim 1, wherein a client computer that does not 
respond at all is blocked from Internet access. 

3. (Original) The method of claim 1, wherein a client computer that responds with 
a particular predefined code indicating non-compliance is blocked from Internet access. 

4. (Original) The method of claim 1, wherein a client computer that responds with 
a particular predefined code indicating compliance is permitted Internet access. 

5. (Original) The method of claim 1, further comprising: 

before receipt of a challenge, transmitting an initial message from a particular 
client computer to the client premises equipment, for requesting the client premises 
equipment to transmit a challenge to that particular client computer. 

6. (Original) The method of claim 5, wherein said initial message comprises a 
"client hello" packet. 

7. (Original) The method of claim 1, wherein said client premises equipment is 
capable of permitting Internet access by selected client computers and denying access to 
other client computers. 

8. (Original) The method of claim 1, wherein said access policy specifies rules 
that govern Internet access by the client computers. 

9. (Previously presented) The method of claim 8, wherein said step of blocking 
Internet access includes: 

determining whether permitting Internet access for a given client computer would 
violate any of said rules, and 

if permitting such Internet access would violate any of said rules, denying Internet 
access for that client computer. 

10. (Original) The method of claim 1, wherein said access policy includes rules 
that are enforced against selected ones of users, computers, and groups thereof. 

11. (Original) The method of claim 1, wherein said access policy specifies which 
applications are allowed Internet access. 

12. (Original) The method of claim 1, wherein said access policy specifies 
applications that are allowed Internet access. 

13. (Original) The method of claim 12, wherein said applications are specified by 
executable name and version number that are acceptable. 
14. (Original) The method of claim 12, wherein said applications are specified by 
digital signatures that are acceptable. 

15. (Original) The method of claim 14, wherein said digital signatures are 
computed using a cryptographic hash. 

16. (Original) The method of claim 15, wherein said cryptographic hash 
comprises a selected one of Secure Hash Algorithm (SHA-1) and MD5 cryptographic 
hashes. 

17. (Original) The method of claim 1, wherein said access policy specifies 
Internet access activities that are permitted or restricted for applications or versions 
thereof. 

18. (Original) The method of claim 1, wherein said access policy specifies rules 
that are transmitted to client computers from a remote location. 

19. (Original) The method of claim 18, wherein said remote location comprises a 
centralized location for maintaining said access policy. 

20. (Previously presented) The method of claim 1, wherein said step of blocking 
Internet access includes: 

determining, based on identification of a particular client computer or group 
thereof, a specific subset of rules filtered for that particular client computer or group 
thereof. 

21. (Original) The method of claim 1, wherein said challenge includes a request 
for a particular client computer to respond as to whether it is in compliance with said 
access policy. 

22. (Original) The method of claim 1, further comprising: 
redirecting a client computer that is not in compliance with said access policy to a 
sandbox server; and 

informing such client computer that it is not in compliance with said access 
policy. 

23. (Original) The method of claim 22 further comprising: 

redirecting a client computer that is not in compliance with a particular access 
policy, to a particular port on the sandbox server; and 

displaying particular error message pages on the sandbox server in response to 
communications on particular ports. 

24. (Currently amended) In a system comprising one or more client computers 
connected to the Internet by client premises equipment serving a routing function for 
client computers, a method for managing Internet access based on a specified access 
policy, the method comprising: 

transmitting a [[challenge]] plurality of challenges over a period of time from said 
client premises equipment to each client computer, for determining whether a given client 
computer is in compliance with said specified access policy during said period of time; 

transmitting a response from at least one client computer back to said client 
premises equipment for responding to said challenge that has been issued; and 

redirecting a request for Internet access by any client computer that does not 
respond appropriately to any said challenge issued to it to a sandbox server. 

25. (Original) The method of claim 24, further comprising: 

displaying an error message on the sandbox server to any client computer that 
does not respond appropriately to said challenge. 

26. (Original) The method of claim 25, further comprising: 

after display of such error message, permitting said client computer to elect to 
access the Internet. 
27. (Original) The method of claim 24, wherein a client computer that responds 
with a particular predefined code indicating non-compliance is redirected to said sandbox 
server. 

28. (Original) The method of claim 24, wherein a client computer that responds 
with a particular predefined code indicating compliance is permitted Internet access. 

29. (Original) The method of claim 24, further comprising: 

before receipt of a challenge, transmitting an initial message from a particular 
client computer to the client premises equipment, for requesting the client premises 
equipment to transmit a challenge to that particular client computer. 

30. (Original) The method of claim 29, wherein said initial message comprises a 
"client hello" packet. 

31. (Original) The method of claim 24, wherein said client premises equipment is 
capable of permitting Internet access by selected client computers and redirecting other 
client computers to the sandbox server. 

32. (Original) The method of claim 24, wherein said access policy includes rules 
that are enforced against selected ones of users, computers, and groups thereof. 

33. (Original) The method of claim 24, wherein said access policy specifies which 
applications are allowed Internet access. 

34. (Original) The method of claim 24, wherein said access policy specifies 
executable names and version number of applications that are allowed Internet access. 

35. (Original) The method of claim 24, wherein said access policy specifies 
Internet access activities that are permitted or restricted for applications or versions 
thereof. 
36. (Original) The method of claim 24, wherein said access policy specifies rules 
that are transmitted to client computers from a remote location. 

37. (Original) The method of claim 36, wherein said remote location comprises a 
centralized location for maintaining said access policy. 

38. (Previously presented) The method of claim 24, wherein said step of 
redirecting a request for Internet access by a client computer includes: 

determining, based on identification of a particular client computer or group 
thereof, a specific subset of rules filtered for that particular client computer or group 
thereof. 

39. (Original) The method of claim 24, wherein said challenge includes a request 
for a particular client computer to respond as to whether it is in compliance with said 
access policy. 

40. (Original) The method of claim 24, further comprising: 

redirecting a client computer that is not in compliance with a particular access 
policy, to a particular port on the sandbox server; and 

displaying particular error messages on the sandbox server in response to 
communications on particular ports. 

41. (Original) The method of claim 24, further comprising: 

permitting client computers that are not in compliance with particular access 
policies to elect to access the Internet; and 

blocking computers that are not in compliance with other access policies from 
accessing the Internet. 

42. (Currently amended) The method of claim 24, wherein said access policy 
specifies which applications are allowed Internet access, and wherein said applications 
are specified by digital signatures which are acceptable. 

43. (Original) The method of claim 42, wherein said digital signatures are 
computed using a cryptographic hash. 

44. (Original) The method of claim 43, wherein said cryptographic hash 
comprises a selected one of Secure Hash Algorithm (SHA-1) and MD5 cryptographic 
hashes. 

45. (Currently amended) A system for regulating Internet access by client 
computers comprising: 

an access policy governing Internet access by said client computers; 

client premises equipment serving a routing function for each client computer to 
be regulated and capable of issuing a plurality of challenges over a period of time 
[[challenge]] to each client computer, for determining whether a given client computer is in 
compliance with said access policy during said period of time; 

one or more client computers which can connect to the Internet and at least one of 
which can respond to challenges issued by said client premises equipment; and 

an enforcement module for selectively blocking Internet access [[to the Internet]] 
for any client computers that fail to respond in a manner that would establish that they 
are in compliance with said access policy. 

46. (Original) The system of claim 45, wherein said client premises equipment 
includes a router. 

47. (Original) The system of claim 45, wherein said access policy is provided at 
each client computer to be regulated. 

48. (Original) The system of claim 45, wherein said enforcement module is 
provided at said client premises equipment. 

49. (Previously presented) The system of claim 45, wherein said at least one client 
computer which can respond to challenges responds with a particular predefined code 
indicating noncompliance with said access policy and is blocked from Internet access. 

50. (Previously presented) The system of claim 45, wherein a client computer that 
responds with a particular predefined code indicating compliance with said access policy 
is permitted Internet access. 

51. (Original) The system of claim 45, wherein at least one of the client computers 
is capable of transmitting an initial message to the client premises equipment before 
receipt of a challenge, for requesting the client premises equipment to transmit a 
challenge to that particular client computer. 

52. (Original) The system of claim 45, wherein said enforcement module is 
capable of permitting Internet access by selected client computers and denying access to 
other client computers. 

53. (Original) The system of claim 45, wherein said access policy includes rules 
that are enforced against selected ones of users, computers, and groups thereof. 

54. (Original) The system of claim 53, wherein said enforcement module is 
capable of determining, based on identification of a particular client computer or group 
thereof, a specific subset of said access policies filtered for that particular client computer 
or group thereof. 

55. (Original) The system of claim 45, wherein said access policy specifies 
applications that are allowed Internet access. 

56. (Original) The system of claim 55, wherein said applications are specified by 
executable name and version number that are acceptable. 

57. (Original) The system of claim 55, wherein said access policy specifies types 
of activities which applications are allowed to perform or restricted from performing. 

58. (Original) The system of claim 55, wherein said applications are specified by 
digital signatures that are acceptable. 

59. (Original) The system of claim 58, wherein said digital signatures are 
computed using a cryptographic hash. 

60. (Original) The system of claim 59, wherein said cryptographic hash comprises 
a selected one of Secure Hash Algorithm (SHA-1) and MD5 cryptographic hashes. 

61. (Original) The system of claim 45, further comprising: 

a sandbox server to which client computers that are not in compliance with said 
access policy are redirected. 

62. (Original) The system of claim 61, wherein said sandbox server informs non- 
compliant client computers that they are not in compliance with said access policy. 

63. (Original) The system of claim 62, wherein said client computers may elect to 
access the Internet after being informed that they are not in compliance with said 
access policy. 

64. (Original) The system of claim 61, wherein: 

said enforcement module is capable of redirecting a client computer that is not in 
compliance with a particular access policy to a particular port on the sandbox server; and 

said sandbox server is capable of displaying particular error message pages in 
response to communications on particular ports. 
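The challenge-and-enforce cycle recited in method claims 1 and 24 and system claims 45 to 64, worked as an added Python illustration (not code from the application or its applicant). It assumes a policy that identifies the permitted application by the SHA-1 of its executable (claims 14 to 16), the predefined response codes of claims 3 and 4, and a sandbox port chosen for the example; the executable bytes are constructed samples.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Predefined response codes (claims 3, 4, 27, 28).
COMPLIANT, NONCOMPLIANT = "COMPLIANT", "NONCOMPLIANT"

# Constructed sample policy: the allowed application is identified by the
# SHA-1 of its executable (claims 14-16); any other executable is non-compliant.
GOOD_EXE = b"browser v2.1 executable bytes (constructed sample)"
BAD_EXE = b"unapproved tool executable bytes (constructed sample)"
ALLOWED_SHA1 = {hashlib.sha1(GOOD_EXE).hexdigest()}

@dataclass
class Client:
    name: str
    # Executable observed in each challenge round; None means no agent answers.
    exe_by_round: List[Optional[bytes]]

    def respond(self, round_no: int) -> Optional[str]:
        exe = self.exe_by_round[min(round_no, len(self.exe_by_round) - 1)]
        if exe is None:
            return None  # no response at all (claim 2)
        digest = hashlib.sha1(exe).hexdigest()
        return COMPLIANT if digest in ALLOWED_SHA1 else NONCOMPLIANT

@dataclass
class ClientPremisesEquipment:
    sandbox_port: int = 8080  # assumed port on the sandbox server (claims 23, 40)
    decisions: Dict[str, str] = field(default_factory=dict)

    def challenge_round(self, clients: List[Client], round_no: int) -> Dict[str, str]:
        """Issue one challenge to every client and enforce on the answers."""
        for c in clients:
            code = c.respond(round_no)
            if code == COMPLIANT:
                self.decisions[c.name] = "allow"  # claims 4, 28
            elif code == NONCOMPLIANT:
                self.decisions[c.name] = f"sandbox:{self.sandbox_port}"  # claims 24, 27
            else:
                self.decisions[c.name] = "block"  # claims 1, 2
        return dict(self.decisions)

    def enforce_over_period(self, clients: List[Client], rounds: int) -> Dict[str, str]:
        """Repeat the challenge over a period of time (claims 1, 24, 45); a client
        that drifts out of compliance in a later round loses its earlier grant."""
        for round_no in range(rounds):
            self.challenge_round(clients, round_no)
        return dict(self.decisions)
```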